Hackers access 50 million Facebook profiles

On Friday morning of Facebook’s most tumultuous week in recent memory, the notorious bug-bounty hunter Chang Chi-yuan announced an impressive-sounding stunt. On Sunday, Chang promised to hack the personal Facebook page of Mark Zuckerberg, and broadcast it live on his own Facebook page. He had found a bug that would grant him access to Zuck’s account, he said, and he planned to share it with the world.

After his Facebook post on the subject earned global attention, though, he changed his mind. “I am canceling my live feed, I have reported the bug to Facebook and I will show proof when I get bounty from Facebook,” he told Bloomberg.

But before anyone could be too disappointed, Facebook announced a major (and unrelated, it says) vulnerability of its own. And while no one defaced the CEO’s personal page, hackers gained access to at least 50 million accounts. To its credit, Facebook announced its discovery just three days after learning about it. As a result, details about who did the hacking, and what data they may have made off with, remain sketchy.

Two points guide my thinking here. One, breaches often turn out to be worse than originally thought. That seems particularly worth keeping in mind in a situation like this, where the affected company is only three days into its investigation. Two, unlike the extremely weird Cambridge Analytica story, what happened to these accounts is an actual data breach — and, as such, it could result in the first major fine being handed down as a result of Europe’s General Data Protection Regulation (GDPR).

The attack, which Facebook discovered on Tuesday, exploited a privacy feature known as “View As,” which lets you see what your own profile looks like to someone else.

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.

Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.

“View As” has been shut down until further notice. A total of 90 million people — the number who used “View As” since the vulnerability was created — will be asked to log in to their accounts again. Victims of the breach will be notified via a banner in the News Feed.

Data breaches are so common that we have become numb to them. I asked my colleague Russell Brandom, who writes about security for us, what mischief you could pull off with full access to someone’s Facebook account. Here are some of the risks he mentioned:

A hacker could message your friends saying you’re in trouble and need them to send you money.

A hacker could sell your account to another bad actor.

A hacker could access your private messages and posts and use them to blackmail you.

The attack relied on a confluence of three separate bugs. Lorenzo Franceschi-Bicchierai and Jason Koebler at Motherboard have a good, succinct explanation of how the attack worked:

The first bug, Rosen explained, caused a video uploader to show up on View As pages “on certain kinds of posts encouraging people to post happy birthday greetings.” Normally, the video uploader should not have shown up. The second bug caused this video uploader to generate an access token that had permission to log into the Facebook mobile app, which is not how this feature “is intended to be used,” according to Rosen.

The final bug, Rosen explained, was that when the video uploader showed up as part of the View As feature, it generated a new access token not for the user, but for the person who they were pretending to be—essentially giving the person using the View As feature the keys to access the account of the person they were simulating. In the example we gave above, this would not only have allowed you to look at John’s profile using the View As John feature, but it also would have generated an access token allowing you to log in to and take over John’s account.
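To make the three-bug chain concrete, here is an added, deliberately simplified model (not Facebook’s code; every name, type and structure is an assumption) of a token-minting routine that takes its subject from the simulated identity, beside a hardened version that binds every token to the authenticated account and refuses to mint anything inside a “View As” rendering:

```python
# Added example, not Facebook's code: a minimal model of the "View As"
# token-minting confusion described above. A page rendered in "View As" mode
# carries two identities: the logged-in viewer (the real principal) and the
# person whose perspective is being simulated. The bug chain let an uploader
# component inside that rendering mint a token for the simulated identity.
# All names and structures below are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenderContext:
    viewer: str                 # authenticated account making the request
    view_as: Optional[str]      # account whose perspective is simulated, if any


@dataclass(frozen=True)
class AccessToken:
    subject: str    # account the token acts on behalf of
    audience: str   # client the token is valid for, e.g. "web" or "mobile"


class TokenMintingError(Exception):
    pass


def mint_token_vulnerable(ctx: RenderContext) -> AccessToken:
    """Bug model: the subject comes from the rendered profile, not the requester,
    and the token is scoped for the mobile client the uploader never needed."""
    effective = ctx.view_as or ctx.viewer
    return AccessToken(subject=effective, audience="mobile")


def mint_token_fixed(ctx: RenderContext, audience: str = "web") -> AccessToken:
    """Hardened model: no minting at all while simulating another account,
    only the audience the component actually needs, and the subject is always
    the authenticated principal."""
    if ctx.view_as is not None and ctx.view_as != ctx.viewer:
        raise TokenMintingError("no token minting inside an impersonated rendering")
    if audience != "web":
        raise TokenMintingError(f"uploader may not mint tokens for audience {audience!r}")
    return AccessToken(subject=ctx.viewer, audience=audience)


def token_confused(ctx: RenderContext, tok: AccessToken) -> bool:
    """Audit-style check: a token is confused when its subject differs from
    the principal that authenticated the request which produced it."""
    return tok.subject != ctx.viewer
```

The check in `token_confused` is the kind of invariant that, applied at minting time or over token-issuance logs, flags exactly the mismatch the third bug produced.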

Once the attack was under way, the hackers were sloppy enough that Facebook was able to detect their work simply by noting the large spike in the use of user access tokens. Some security pundits believe this could make it less likely that this was a state-sponsored attack. Having gotten this level of access, a state-level actor might have operated in a more targeted fashion, the thinking goes, so as to maximize the time they could spend slurping up data from high-value targets.

Rosen told reporters that the attackers had used Facebook APIs to query basic profile information including user gender and hometown. It’s not immediately clear what that data might be used for. I asked him how, given that hackers had full control over accounts, Facebook would be able to determine which usage was legitimate or illegitimate. Otherwise how could it say no private messages had been accessed? Rosen said that the company will now work to separate illegitimate logins from legitimate ones, and try to disentangle them based on how the user access tokens were acquired.

On the press call, a handful of reporters asked Zuckerberg why they should still trust Facebook with their data. He gently deflected the question, saying that Facebook faces attacks every day, and that they took their responsibilities very seriously. What he wouldn’t say is that, over a long enough time horizon, some hackers will always breach your defenses. For Facebook, the job is to prevent as many as possible from happening. For users, it could be a reason to store less data with Facebook.

Facebook will not have to wiretap voice calls in Messenger, in what Reuters’ Dan Levine and Joseph Menn call “a closely watched test case.”

Members of a joint federal and state task force probing the international criminal gang MS-13 had tried in August to hold Facebook in contempt of court for failing to carry out a wiretap order, Reuters reported last month.

Arguments were heard in a sealed proceeding in a U.S. District Court in Fresno, California weeks before 16 suspected gang members were indicted there, but the judge ruled in Facebook’s favor, the sources said.

In 2016, following an election marred by a Russian-backed social media disinformation campaign, Facebook increased its lobbying at the state level by nearly 31 percent from the prior year, according to Sludge’s analysis of lobbying expenditures for 20 states with comprehensive lobbying disclosures.

In 2015, Facebook spent at least $728,000 on lobbying efforts in the states reviewed by Sludge. That figure increased to $952,000 by 2016, shortly after Donald Trump ascended into the presidency. The following year, in 2017, lobbying for the social media giant in these states ballooned to roughly $1.3 million, a 41 percent increase from its pre-presidential election lobbying expenditures in 2015.

Davey Alba and Charlie Warzel report on a meeting between Facebook and activists from Asian countries experiencing misinformation-related problems:

Dubbed an “Integrity, Safety, and Conflict Roundtable” and held at the company’s Menlo Park headquarters in California, the meeting included significant discussion of how Facebook can do a better job of monitoring its platform for the misinformation and inflammatory rhetoric that has been linked to violence and social discord in those countries. Another key topic: discussing individualized content policies designed to address cultural nuance in regions far from the Silicon Valley offices where Facebook is built and managed.

Facebook confirmed the meeting to BuzzFeed News, describing it as “part of our work to better understand the challenges in these countries and improve our policies, products, and programs.”

59% of U.S. teens have been bullied or harassed online, and a similar share says it’s a major problem for people their age. At the same time, teens mostly think teachers, social media companies and politicians are failing at addressing this issue.

Last week, the FBI arrested William Gregory Douglas, 35, outside of an Oregon convenience store after he threatened to kill YouTube employees, including its CEO, Susan Wojcicki. Douglas was arraigned Monday and made his first appearance in court, AP reported yesterday. He’s being charged with cyberstalking and transmitting threats in interstate commerce.

A “quarantine” is when Reddit blocks an offensive subreddit from advertising and search results, among other places. Today it introduced an expanded version of that policy that includes the ability for quarantined subreddits to appeal their case.

Tim Wu, who has a new book out on the subject, takes the opportunity of the Instagram founders’ departure to urge the government to spin it out of Facebook:

A key question has been lost in coverage of the transition: Just why is Facebook in control of Instagram, its greatest natural competitor, in the first place? Isn’t antitrust law supposed to stop companies from buying off their rivals to achieve market dominance? The answer is that we — the Obama administration’s antitrust enforcers — blew it. Our standards for assessing mergers, fixated on consumer prices, were a poor match for the tech economy and are effectively obsolete.

A fixation on consumer prices just doesn’t work for “attention merchants” — those firms that give away “free” products in exchange for time and attention and resell their audiences to advertisers. If a better analysis is used, it becomes clear that the Facebook acquisition of Instagram was illegal to begin with. Fortunately, it is not too late to fix the error. The antitrust authorities have the power to undo the merger and restore real competition.

Can Duruk predicts Instagram will gradually transform into Facebook. I think it’s a good prediction:

There is a third option, in which Instagram itself turns into Facebook. Just a few days before the founders’ departure, news emerged that Instagram might be launching a “regram” feature, akin to retweeting on Twitter. Interestingly enough, Instagram long avoided building such a feature, because the founders feared it would make the product less personal. Such a feature could lead users to feel that their feed no longer contains things they wanted to see, but what others pushed on to them, effectively turning Instagram into Facebook.

In terms of my own work, I don’t personally care what is happening with the founders or the platform. I honestly hate that Instagram and social media are a thing I have to do to remain relevant. Posting is no longer a fun way to share images with friends, but a chore I just have to get over with. If all social media platforms went away, that would be fine with me!

Scott Galloway famously called Amazon’s acquisition of Whole Foods. Now he says the company is likely to buy Snap — and with all the e-commerce experiments inside Snapchat these days, it’s more than plausible. (Weekend thought experiment: what would Snap look like with stable, effective management?)

John Oliver teed off on Facebook for another 20 minutes this week. It only got 2.5 million views on YouTube. Is he losing his edge?